Abstract

A mix network by Wikstrom fails in correctness, provable privacy and soundness. Its claimed advantages in security and efficiency are compromised. The analysis in this paper illustrates that although the first two failures may be fixed by modifying the shuffling protocol, the last one is too serious to fix at a tolerable cost. In particular, an attack is proposed to show how easily soundness of the shuffling scheme can be compromised. Moreover, the most surprising discovery in this paper is that it is formally illustrated that in practice it is impossible to fix soundness of the shuffling scheme by Wikstrom.

1 Introduction 

Shuffling is a very important cryptographic technique to build mix networks, which are a popular kind of anonymous communication channel. The most important application of mix networks is electronic voting, which is a highly sensitive application with critical requirements on security. As large-scale election applications may involve a very large number of voters, high efficiency is often desired in e-voting. In recent years, a few shuffling-based mix network schemes [U O [211 ESl [29l [Ml [39l [30l [Ml [Ml [371 [in [211 [2Z! have been proposed. They claim to achieve strong security and high efficiency. Among them, the most efficient in computation¹ are [39], [28] and [44]. However, all of these three schemes have weaknesses in security, although differing in kind and degree.

As explained in Appendix A, the shuffling schemes in [39] and [28] have some drawbacks, which make them unsuitable for applications with very critical security requirements like political e-voting. Although the drawbacks of [39] and [28] limit their application, if they are not applied to applications with very high security requirements, they are still very useful in practice. As a result, if it is as secure as it claims, the shuffling scheme in [44] is the most efficient solution in computation still remaining secure for shuffling based e-voting. An important question is: is the shuffling scheme in [44] as secure as it claims? Our analysis demonstrates that the security problems in [44] are much more serious than in [39] and [28] and compromise the most important security properties.

Our analysis starts with a more obvious but less serious problem: the shuffling scheme in [44] fails in correctness (defined in Section 2) and its proof of zero knowledge is based on incorrect operations. As a result, to fit the proof of zero knowledge, a valid shuffling operation must risk a failure in verification. Our analysis illustrates that due to two reasons, keeping the shuffling scheme unchanged and decreasing the probability of failure of correctness by using a special parameter setting is not an effective method to improve security. Firstly, there is a dilemma between correctness and provable zero knowledge, and decreasing the probability of failure of correctness will increase the probability of failure of the proof of zero knowledge. Secondly and more importantly, as explained later, the same inappropriate operations compromising correctness prevent the author's suggested method from implementing soundness as well. An appropriate modification can achieve correctness and at the same time make implementation of soundness as suggested by the author possible (although not necessarily guaranteeing soundness). So a more comprehensive countermeasure is needed and thus a modification is proposed in this paper to fix the shuffling scheme in [44] and achieve correctness. As this modification affects provability of zero knowledge, a new privacy analysis is needed to demonstrate achievement of statistical zero knowledge in the modified shuffling protocol. As explained later, this modification is necessary in trying to implement the author's suggested method to achieve soundness.

¹ Like most work in shuffling, we focus on computation when discussing efficiency, as in most cases communicational cost is a monotone function of computational cost. The only exception is [27], which sacrifices computational efficiency to achieve high efficiency in communication.

A more serious, more fatal but less obvious problem of [44] lies in soundness (defined in Section 2). A key technique to guarantee soundness of the shuffling scheme in [44] is range proof, which must be run multiple times to guarantee that multiple integers are in a special range. However, range proof is not implemented in [44]. On one hand, in the outline of the shuffling scheme in [44], range proof is emphasized to be necessary; on the other hand, in the detailed and complete implementation of the shuffling scheme, range proof is not implemented or even mentioned in any of the multiple operations depending on it for soundness. So there is a mystery: is range proof in [44] too simple and too straightforward, and so ignored in the implementation, or too difficult and too controversial, and so avoided in the implementation? As it determines soundness of the shuffling scheme in [44], the most efficient still-surviving shuffling scheme, this question must be answered. However, as the information about the details of range proof in [44] is only a vague sentence, it is not easy to figure the question out. Such a sketchy description of a key operation leaves a few doubts for the readers to clear. Firstly, is the author really aware of the necessity of range proof? How important is range proof? Can it be ignored? Secondly, can the range proof primitive suggested by the author implement range proof in his shuffling scheme? Can we ask the author to give an implementation with detailed parameter setting and operations? If his method fails, does it simply not work, or does it need optimisation in details (e.g. parameter setting and operational details)? Can we adjust the parameter setting or operational details to fix the problem? If the adjustment is difficult, can we formally prove that his method is irremediable and cannot be fixed at all? Thirdly, even if the author's range proof cannot work at all, can it be replaced by other range proof primitives unknown to the author? Can another technique implement range proof in the shuffling scheme in [44] at a tolerable cost? To discover the truth, we need to answer all these questions.

When the given information is not enough and many possibilities are left, the most reliable way to handle it is to explore and try every possibility. If every possible detailed implementation of a method is shown not to work, the method must fail. When there are a few doubts about a scheme, the most responsible method to assess it is to discuss and answer the doubts one by one. The more doubts are verified to be problems, the more sure the readers are about failure of the scheme. In this way, we can attack a scheme and demonstrate its failure in the most convincing way, leaving no space for any excuse or defense, even if its problems are hidden in incomplete, vague and sketchy descriptions. Firstly, an attack is proposed to completely compromise soundness of the shuffling scheme in [44] in the absence of range proof. The attack allows invalid shuffling to pass the verification of the shuffling protocol in [44], so the shuffled messages can be tampered with without being detected. So its absence from the detailed implementation is an inexcusable mistake. If the implementation cannot be provided, the shuffling scheme definitely fails in soundness. Secondly, it is clearly demonstrated that the range proof primitive suggested by the author cannot implement range proof either in his original shuffling scheme or in the shuffling scheme modified by us to achieve correctness and make implementation of soundness possible². Further analysis formally illustrates that the range proof primitive suggested in [44] is irremediable and always violates soundness of the shuffling scheme no matter how its parameters and details are adjusted. So the problem in soundness of [44] is not only incompleteness in the claimed complete and detailed implementation, but also an irremediable mistake of unimplementability of a key operation, which cannot be fixed at all and so cannot be excused as carelessness in implementation details. Thirdly, every other range proof primitive not mentioned by the author is explored and each of them is demonstrated to greatly deteriorate efficiency of the shuffling scheme in [44] and turn it into one of the least efficient shuffling schemes if employed. Thus, the final chance to maintain security and efficiency of the shuffling scheme in [44] is eliminated. Therefore, it is concluded beyond any doubt and excuse that soundness not only fails but also cannot be fixed at a tolerable cost in the shuffling scheme in [44], which is the most important contribution and most surprising discovery in this paper.

2 Background: the Shuffling Scheme in [44] 

In a shuffling protocol, a shuffling node re-encrypts and reorders multiple input ciphertexts to some 
output ciphertexts such that the messages encrypted in the output ciphertexts are a permutation 
of the messages encrypted in the input ciphertexts. Shuffling is usually employed to build up 
anonymous communication channels and its most important application is e-voting. The following 
properties must be satisfied in a shuffling protocol. 

• Correctness: if the shuffling node strictly follows the shuffling protocol, the shuffling protocol 
ends successfully and the plaintexts encrypted in the output ciphertexts are a permutation 
of the plaintexts encrypted in the input ciphertexts. 

• Public verifiability: the shuffling node can publicly prove that he does not deviate from the 
shuffling protocol. 

• Soundness: a successfully verified proof by a shuffling node guarantees that the plaintexts 
encrypted in the output ciphertexts are a permutation of the plaintexts encrypted in the 
input ciphertexts without any trust assumption on the shuffling node. 

• Zero knowledge (ZK) Privacy: The permutation used by the shuffling node is not revealed. 
More formally, a simulating transcript indistinguishable from the real shuffling transcript can 
be generated by a polynomial party without any knowledge of the shuffling node's secret 
inputs. 

Shuffling is frequently employed in anonymous communication and its most important application is electronic voting, where the voters need to anonymously cast their votes. As stated in Section 1, the shuffling scheme in [44] is a very efficient solution to shuffling based e-voting. Its main idea is simple. Suppose $N$ ElGamal ciphertexts $(u_1, v_1), (u_2, v_2), \ldots, (u_N, v_N)$ are input to a shuffling node, which then outputs ciphertexts $(u'_1, v'_1), (u'_2, v'_2), \ldots, (u'_N, v'_N)$. To prove that the messages encrypted in $(u'_1, v'_1), (u'_2, v'_2), \ldots, (u'_N, v'_N)$ are a permutation of the messages encrypted in $(u_1, v_1), (u_2, v_2), \ldots, (u_N, v_N)$, given random primes $p_1, p_2, \ldots, p_N$ in $[2^{K-1}, 2^K - 1]$ ($[\ ]$ stands for a range of consecutive integers as defined in [44]), the shuffling node only needs to prove that he knows secret integers $\rho_1, \rho_2, \ldots, \rho_N$ and $\pi()$, a secret permutation of $1, 2, \ldots, N$, to satisfy

$\prod_{i=1}^{N} D(u_i, v_i)^{p_i} = \prod_{i=1}^{N} D(u'_i, v'_i)^{\rho_i},$ (1)

$\rho_i = p_{\pi(i)}$ for $i = 1, 2, \ldots, N,$ (2)

where $D()$ stands for decryption. For privacy of the shuffling, neither any $\rho_i$ nor $\pi()$ can be revealed in the proof. It has been illustrated in [29] that (1) and (2) guarantee that the messages encrypted in $(u'_1, v'_1), (u'_2, v'_2), \ldots, (u'_N, v'_N)$ are a permutation of the messages encrypted in $(u_1, v_1), (u_2, v_2), \ldots, (u_N, v_N)$. Soundness of this idea is more formally proved in [38, 40]. For all the shuffling schemes employing this idea, satisfaction of (1) is easy to prove and the key technique is how to prove satisfaction of (2). The method to prove (2) is claimed to be more efficient in [44] than in [29] and [38, 40]. Satisfaction of (2) is reduced to satisfaction of the following three equations in [44], where the choice of $K$ and its relation to other parameters are absent in [44] and will be discussed later in Section 4.2:

$-2^K + 1 \le \rho_i \le 2^K - 1$ for $i = 1, 2, \ldots, N$ (3)

$\prod_{i=1}^{N} \rho_i = \prod_{i=1}^{N} p_i$ (4)

$\sum_{i=1}^{N} \rho_i = \sum_{i=1}^{N} p_i$ (5)

² As discussed before, the original shuffling scheme in [44] is inconsistent with the author's suggested method to implement soundness, while the shuffling scheme modified by us to achieve correctness avoids the contradiction although not necessarily guaranteeing soundness.



A detailed proof protocol called Protocol 2 is employed in [44] to implement proof of (3), (4) and (5). Note that Protocol 2 is not a sketchy outline but is supposed to be a complete implementation with every detail of the shuffling scheme in [44]. Proof of (4) and (5) is a straightforward application of zero knowledge proof of equality of discrete logarithms [14], so quite easy. The key technique is proof of satisfaction of (3). As Protocol 2 in [44] is a quite complex 7-step proof protocol, it is not recalled here in its fully complete form and interested readers can find its fully complete description in [44]. However, the operations closely related to proof and verification of (3) in Protocol 2 in [44] are extracted as follows, where the definition of all the involved integers can be found in [44].

• In Step 6 of Protocol 2 in [44], the prover calculates and publishes

$e_i = ct_i + s_i \bmod 2^{K_2+K_4+2K_5}$ (6)

$e'_i = ct'_i + s'_i \bmod 2^{K_2+K_4+2K_5}$ (7)

$d_i = c\rho_{\pi(i)} + r_i \bmod 2^{K_3+K_4+K_5}$ (8)

$e = ct + s \bmod 2^{K_2+NK_3+K_4+K_5+\log_2 N}$ (9)

$e' = ct' + s' \bmod 2^{K_2+K_5+\log_2 N}$ (10)

where $K_2, K_3, K_4, K_5$ are integers defined in [44] as security parameters.

• In Step 7 of Protocol 2 in [44], it is verified that

b^7^ = h^'^-i (11) 
h'li^ = h^g'^^ (12)

{hlai, {V/b2ra2, Was) = (13) 

(bf7^, (h'H) = (h^^ht,, h<g^') (14) 

(g-ntiP>b^)^7 = h^ (15) 

EN , 

v« -i^'niIibD^7 = h^ (16) 



It is claimed in [44] that the shuffling protocol as described in Protocol 2 is a complete implementation to achieve correctness, soundness and zero knowledge in privacy.



3 Correctness and Provable Zero Knowledge — Failure and Fixing 

In this section, correctness and provability of zero knowledge of the shuffling protocol in [44] are shown to fail as key operations employ wrong moduli. Our analysis illustrates that due to two reasons, keeping the wrong moduli and decreasing the probability of failure of correctness by using a special parameter setting is not an effective method to improve security. Firstly, there is a dilemma between correctness and provable zero knowledge, and decreasing the probability of failure of correctness will increase the probability of failure of the proof of zero knowledge. Secondly and more importantly, as explained later, the wrong moduli prevent the author's suggested method from implementing soundness as well. So a modification is proposed to achieve correctness, while provability of zero knowledge and soundness are taken into account. We have to emphasize that it is still needed to prove achievement of statistical zero knowledge with a new proof method. As such proofs or arguments in the statistical sense have been used in similar circumstances [42, 7, 10] and can be adopted in the shuffling protocol in [44], they are not detailed in this paper due to space limitation. As explained later, this modification is necessary in trying to implement the author's suggested method to achieve soundness.



3.1 Failure of Correctness 

Correctness of the shuffling scheme in [44] requires that if the shuffling node strictly follows the shuffling protocol and does not deviate from it in any way, he can pass all the verifications in Step 7 of Protocol 2 in [44]. However, satisfaction of (11), (12), (13), (14), (15) and (16) is not guaranteed in [44] even if the shuffling node strictly follows the shuffling protocol and does not deviate from it. More precisely, although (11), (12), (13), (14), (15) and (16) are satisfied when



$e_i = ct_i + s_i$ in $\mathbb{Z}$, (17)

$e'_i = ct'_i + s'_i$ in $\mathbb{Z}$, (18)

$d_i = c\rho_{\pi(i)} + r_i$ in $\mathbb{Z}$, (19)

$e = ct + s$ in $\mathbb{Z}$, (20)

$e' = ct' + s'$ in $\mathbb{Z}$, (21)



their satisfaction is not guaranteed when (6), (7), (8), (9) and (10) are employed in Step 6 of Protocol 2 in [44], as
• the order of $h$ is $(p-1)(q-1)/2$ instead of $2^{K_2+K_4+2K_5}$, and $ct_i + s_i$, $ct'_i + s'_i$ distribute beyond $2^{K_2+K_4+2K_5}$;

• the order of $g_i$ is $q$ as set in Section 2 of [44] instead of $2^{K_3+K_4+K_5}$, and $c\rho_{\pi(i)} + r_i$ distributes beyond $2^{K_3+K_4+K_5}$;

• the parameter setting of the encryption algorithm in Section 4 of [44] implies that the order of M- is $q$ instead of $2^{K_3+K_4+K_5}$, and $c\rho_{\pi(i)} + r_i$ distributes beyond $2^{K_3+K_4+K_5}$;

• in Section 4.5 of [44], the author assumes $m_j \in G_q$, so the order of f • is $q$ instead of $2^{K_3+K_4+K_5}$, and $c\rho_{\pi(j)} + r_j$ distributes beyond $2^{K_3+K_4+K_5}$;

• the order of $h$ is secret and not $2^{K_2+NK_3+K_4+K_5+\log_2 N}$, and $ct + s$ distributes beyond $2^{K_2+NK_3+K_4+K_5+\log_2 N}$;

• the order of $h$ is secret and not $2^{K_2+K_5+\log_2 N}$, and $ct' + s'$ distributes beyond $2^{K_2+K_5+\log_2 N}$;

where $p$, $q$ and $q$ are secret system parameters defined in [44] and cannot be used by the prover. In Section 3.2, Section 3.3 and Section 4.2 it is illustrated that the problem in correctness cannot be solved by reducing the probability that correctness fails.

3.2 Dilemma between Correctness and Proof of Zero Knowledge 

Failure of correctness seems to be a careless mistake and easy to fix. Removing the moduli when calculating $e_i$, $e'_i$, $d_i$, $e$ and $e'$ will lead to complete correctness. Alternatively, setting the parameters to appropriate values can make the probability that the moduli take effect in calculating the five integers negligible and thus guarantee correctness with a large probability. However, it is not so simple. Let's see why moduli different from the orders of the responses are employed. When the orders are unknown, isn't the non-modulus calculation simpler and completely consistent with correctness? The reason is that the moduli are employed, and they need to take effect in the calculation of the responses with a large probability, because strict and formal zero knowledge is desired in [44]. So both of these two countermeasures contradict the proof of zero knowledge in [44]. Zero knowledge of Protocol 2 in [44] is proved in Proposition 1 in D.1 on Page 31 of [45] (2005 version), in which an explicitly emphasized necessary condition for zero knowledge of Protocol 2 is that

• $e_i = ct_i + s_i \bmod 2^{K_2+K_4+2K_5}$ such that $e_i$ is uniformly distributed in $\mathbb{Z}_{2^{K_2+K_4+2K_5}}$ and thus can be simulated;

• $e'_i = ct'_i + s'_i \bmod 2^{K_2+K_4+2K_5}$ such that $e'_i$ is uniformly distributed in $\mathbb{Z}_{2^{K_2+K_4+2K_5}}$ and thus can be simulated;

• $d_i = c\rho_{\pi(i)} + r_i \bmod 2^{K_3+K_4+K_5}$ such that $d_i$ is uniformly distributed in $\mathbb{Z}_{2^{K_3+K_4+K_5}}$ and thus can be simulated;

• $e = ct + s \bmod 2^{K_2+NK_3+K_4+K_5+\log_2 N}$ such that $e$ is uniformly distributed in $\mathbb{Z}_{2^{K_2+NK_3+K_4+K_5+\log_2 N}}$ and thus can be simulated;

• $e' = ct' + s' \bmod 2^{K_2+K_5+\log_2 N}$ such that $e'$ is uniformly distributed in $\mathbb{Z}_{2^{K_2+K_5+\log_2 N}}$ and thus can be simulated.
So the modulo computations in (6), (7), (8), (9) and (10) are deliberately used for the sake of the proof of zero knowledge in [44]. Both of the two countermeasures calculate the five integers without any modulus with at least an overwhelmingly large probability. In this case, their distribution is not uniform as claimed and needed in Proposition 1 in [44]. Instead, their distribution is denser in the middle of their distribution range and sparser near the edges of their distribution range. So the proof of Proposition 1 in [44] fails and a new proof of zero knowledge is needed. Actually, with both of the two countermeasures the five integers become monotone functions of five corresponding secret integers with at least an overwhelmingly large probability, so publication of them reveals some information about the secret integers and thus (at least partially) compromises the claimed zero knowledge property. This dilemma will be solved in Section 3.3.

3.3 Fixing the Two Drawbacks 

To fix the two drawbacks, we only have the following two options: either keeping the wrong moduli or removing them.

• Option 1:

Still employing (6), (7), (8), (9) and (10) with the wrong moduli in Step 6 of Protocol 2 in [44] and relying on its Proposition 1 for zero knowledge, with the hope that the probability of failure of correctness is low or even negligible without compromising the proof of zero knowledge. This hope is unrealistic as

— if the modulus computation takes effect with a large probability when a response is calculated, because the response otherwise overflows the modulus, correctness of the shuffling scheme fails;

— if the modulus computation does not take effect with a large probability when a response is calculated, because the response is small enough, the proof of Proposition 1 and thus the zero knowledge property in [44] fail, as explained in Section 3.2.

So with this option, correctness and provable zero knowledge cannot be achieved simultaneously and at least one of them must fail in [44] no matter how the parameter setting is adjusted.

• Option 2:

Since the modulo operations are expected to take effect with a negligible probability for the sake of security, why not remove them? Employ the modified operations (17), (18), (19), (20) and (21) in Step 6 of Protocol 2 in [44], abandon its Proposition 1 and design a new proof mechanism to demonstrate zero knowledge. In doing this, the following difficulties must be noticed.

— As the responses are calculated without any modulus and become monotone functions of the corresponding secrets, when the secrets are unknown they cannot be simulated without any difference. So the proof of ZK must be upgraded.

— The new zero knowledge proof is more complex as it involves statistical ZK [42, 7, 43, 10], which proves that two distributions are different but cannot be distinguished. That may be the reason why the modulo computations are still employed in the calculation of the responses in [44] although they compromise correctness.
A comprehensive solution is designed based on Option 2. Namely, the modified operations (17), (18), (19), (20) and (21) are adopted in Step 6 of Protocol 2 in [44] and the modified protocol is called MP2 (modified Protocol 2). This choice is made for two reasons. Firstly, Option 1 cannot handle the dilemma between correctness and provable zero knowledge in [44]. Secondly, as discussed in Section 4.2, Option 1 is inconsistent with the author's suggested method to implement soundness. As mentioned before, MP2 only achieves statistical zero knowledge and thus modeling and analysis of ZK privacy of the shuffling scheme must be completely upgraded using statistical zero knowledge techniques. Fortunately, proof of achievement of statistical zero knowledge in the case of MP2 is a mature technique and has been specified and explained very clearly in the literature [42, 7, 43, 10]. So due to space limit, its details are not provided here and interested readers can read the literature.

4 A More Serious Problem: Failure and Infeasibility of Soundness 

In this section, soundness of the shuffling scheme in [44] is demonstrated to fail. A very important operation is missing and cannot be implemented as suggested. The method suggested for the implementation is formally illustrated to fail and to be irremediable. The efficiency claim in [44] implies that no alternative method (e.g. [6] or [34]) is efficient enough for the implementation. The most important and surprising discovery is that we can formally prove that no modification or optimisation can satisfactorily fix the problem in soundness.

To achieve soundness in the shuffling scheme in [44], Protocol 2 as a complete implementation of it must guarantee that (3), (4) and (5) are satisfied. Satisfaction of (4) and (5) is straightforward, but we find no way to satisfy (3) in Protocol 2 in [44]. Actually, parameter $K$ is not mentioned in any way in Protocol 2 in [44], which is $K$-free and thus (3)-free. Then how can Protocol 2 in [44] guarantee (3)? We test Protocol 2 in [44] and find that as long as (4) and (5) are satisfied the prover can always pass the verification of Protocol 2 in [44] no matter whether $-2^K + 1 \le \rho_i \le 2^K - 1$ is satisfied for any chosen $K$. Actually, once (4) and (5) are satisfied, no additional requirement on any $\rho_i$ (e.g. requiring it to be in $[-2^K + 1, 2^K - 1]$ or any other range) is needed to pass the verification in Protocol 2 in [44]. To more convincingly demonstrate the vulnerability of Protocol 2, an attack is proposed to compromise soundness of the shuffling scheme in [44]. Note that Protocol 2 is not a sketchy outline but is supposed to be a complete implementation with every detail of the shuffling scheme in [44]. So there is a problem of incompleteness in the implementation.

Our analysis demonstrates that the problem in range proof in [44] is not only incompleteness in the claimed detailed and complete implementation, but also a complete failure of the range proof suggested by the author. To confirm the author's suggestion, a comprehensive analysis of available tools is employed to clarify a vague and sketchy hint, which may have hidden the problem. Our method is to have a comprehensive survey of every possibility and eliminate each infeasible choice, so that the only possible choice can be found, which mostly fits the author's suggestion and meets the efficiency claim but cannot work. This method finds that although the original shuffling scheme in [44] is inconsistent with the author's suggested method to implement soundness, there is no contradiction between MP2 and the author's suggested method to implement soundness³. Unfortunately, it is then formally illustrated that even if range proof is implemented as suggested in [44] in MP2 it cannot guarantee satisfaction of (3). Moreover, it is formally illustrated that the problem cannot be fixed by modifying the range proof technique (e.g. adjusting parameters or other details). In addition, alternative range proof techniques (which are not considered or mentioned in [44]) cannot fit the requirements on security and efficiency of [44]. Therefore, beyond any doubt and excuse, soundness not only fails but also cannot be fixed at a tolerable cost in the shuffling scheme in [44].

³ This discovery has been mentioned in Section 1, Section 3 and Section 3.3 and will be detailed in Section 4.2 as a reason for modifying the original shuffling scheme in [44] into MP2.

4.1 An Attack against Soundness 

When (3) is not satisfied, satisfaction of (2) cannot be guaranteed by only (4) and (5). Therefore, in the shuffling scheme in [44], as (3) is not guaranteed, the messages encrypted in the output ciphertexts are not guaranteed to be a permutation of the messages encrypted in the input ciphertexts and thus its soundness fails. More precisely, when the sum of the $\rho_i$s equals the sum of the $p_i$s and the product of the $\rho_i$s equals the product of the $p_i$s, there is no guarantee that the $\rho_i$s are a permutation of the $p_i$s. When only (4) and (5) are satisfied, a simple attack can be launched so that the $\rho_i$s are not a permutation of the $p_i$s. A shuffling node chooses some $\rho_i$ as the products of multiple $p_i$s and $1$ or $-1$, and some other $\rho_i$ as $1$ or $-1$, such that the sum of the $\rho_i$s equals the sum of the $p_i$s, just so simple. There are many such choices for the attack to succeed. A simple example is $N = 10$, $p_1 = p_2 = \cdots = p_{10} = 2$ while $\rho_1 = \rho_2 = \rho_3 = \rho_4 = 4$, $\rho_5 = \rho_6 = 2$, $\rho_7 = \rho_8 = 1$ and $\rho_9 = \rho_{10} = -1$. Another simple example is $N = 10$, $p_1 = p_2 = 2$, $p_3 = p_4 = 3$, $p_5 = p_6 = 5$, $p_7 = p_8 = 7$, $p_9 = p_{10} = 11$ while $\rho_1 = \rho_2 = 22$, $\rho_3 = \rho_4 = 15$, $\rho_5 = \rho_6 = -7$, $\rho_7 = \rho_8 = \rho_9 = \rho_{10} = -1$.

Readers can easily verify that these two examples can pass the verification operations in [44] while the $\rho_i$s are not a permutation of the $p_i$s. We checked each of the three membership tests and the eight equations in the verification (Step 7) of Protocol 2 in [44] and found that none of them can detect this attack. So this attack can pass the verification of the shuffling scheme in [44]. Although the on-line version of [45] was modified recently to defend its mistake, concrete counter-examples are much more convincing than its argument. We wrote a computer program to search for such examples given $p_1, p_2, \ldots, p_N$ and found countless of them, each of which is a counterexample to Protocol 2 in [44]. Although our program uses brute-force search, the search is still fast on a normal desktop when $N$ is not large. When the attack works with an $N_1$, it works as well with a larger $N_2$, as putting an incorrect permutation of $N_1$ ciphertexts and a correct permutation of $N_2 - N_1$ ciphertexts together produces an incorrect permutation of $N_2$ ciphertexts. So the attack can always be efficient no matter how large $N$ is. It has been illustrated in [29, 38, 40] that when the $\rho_i$s are not a permutation of the $p_i$s, incorrect shuffling can satisfy (1) and pass the verification and thus soundness of shuffling is broken. So this attack compromises soundness of shuffling in [44].

This attack convincingly shows how serious the crisis of soundness is when proof of (3) is not implemented. So there is a question: in [44], as a very important operation, is proof of (3) omitted due to the author's carelessness, or is it just infeasible to implement as efficiently as claimed?
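The two counterexamples above run against the integer checks, as an added illustration (this is not the paper's own search program): checks (4) and (5) accept both, a verifier that also enforces the range condition (3) rejects both, and a small brute-force search in the spirit of the program mentioned above finds further such $\rho_i$s for $N = 6$. Choosing $K$ as the bit length of the largest $p_i$ is an assumption made here, since [44] leaves $K$ open.

```python
"""Integer checks (2)-(5) of the shuffle, with and without the range proof (3)."""
from itertools import combinations_with_replacement
from math import prod

# Constructed inputs: the two counterexamples of Section 4.1 as (p_i list, rho_i list).
EXAMPLE_1 = ([2] * 10,
             [4, 4, 4, 4, 2, 2, 1, 1, -1, -1])
EXAMPLE_2 = ([2, 2, 3, 3, 5, 5, 7, 7, 11, 11],
             [22, 22, 15, 15, -7, -7, -1, -1, -1, -1])


def is_permutation(p, rho):
    """Equation (2): the rho_i are a permutation of the p_i (what soundness needs)."""
    return sorted(p) == sorted(rho)


def product_and_sum_match(p, rho):
    """Equations (4) and (5): equal products and equal sums."""
    return len(p) == len(rho) and prod(p) == prod(rho) and sum(p) == sum(rho)


def in_range(rho, K):
    """Equation (3): every rho_i lies in [-2^K + 1, 2^K - 1]."""
    bound = 2 ** K - 1
    return all(-bound <= r <= bound for r in rho)


def bit_size(p):
    """Assumed choice of K: the smallest K with every p_i <= 2^K - 1.
    [44] does not fix K, so this is an assumption of the example."""
    return max(p).bit_length()


def verifier_accepts(p, rho, with_range_proof):
    """Model of the integer part of the verification: (4) and (5) are always checked,
    (3) only when the range proof is actually implemented."""
    ok = product_and_sum_match(p, rho)
    if with_range_proof:
        ok = ok and in_range(rho, bit_size(p))
    return ok


def search_counterexample(p, candidates):
    """Brute force: a multiset rho drawn from `candidates` that satisfies (4) and (5)
    but violates (2), or None. Feasible only for small N, as the paper notes."""
    for rho in combinations_with_replacement(candidates, len(p)):
        rho = list(rho)
        if product_and_sum_match(p, rho) and not is_permutation(p, rho):
            return rho
    return None


if __name__ == "__main__":
    for p, rho in (EXAMPLE_1, EXAMPLE_2):
        print(rho,
              "permutation:", is_permutation(p, rho),
              "accepted without (3):", verifier_accepts(p, rho, False),
              "accepted with (3):", verifier_accepts(p, rho, True))
    print("N=6 search:", search_counterexample([2] * 6, [-1, 1, 2, 4, 8]))
```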

4.2 Comprehensive Analysis to Clarify the Author's Suggestion 

The last subsection convincingly demonstrates the necessity of (3) with a concrete counterexample. Note that (3) contains $N$ instances of range proof, in which a prover commits to (or encrypts) an integer and then proves that the committed integer is in a certain range consisting of some consecutive integers. If the author had thought range proof too simple and straightforward in his shuffling scheme and thus had ignored it, or if he had been careless and forgotten to implement it, the range proof technique suggested by him would be able to implement range proof in his shuffling scheme. The only clue about range proof in [44] is "We then note that a standard proof of knowledge over a group of unknown order also gives an upper bound on the bit-size of the exponents, i.e., it implicitly proves that $\rho_i \in [-2^K + 1, 2^K - 1]$", which seems to suggest a method to implement range proof. As it is quite vague and provides no further detail or citation, and its implementation is missing in Protocol 2 in [44], more work is needed to confirm and instantiate the author's suggestion.

As no novel range proof technique is proposed in [44], it can only employ an existing range proof technique to implement proof of (3). We need to eliminate the possibility that the author has another range proof technique in mind, but forgot to include it in the description of the shuffling protocol in [44] by carelessness. Let's examine whether any of the existing range proof techniques fits the shuffling scheme in [44].

The most straightforward range proof technique is ZK proof of partial knowledge [16], which proves that the committed integer may be each integer in the range one by one and then links the multiple proofs with OR logic. It has a drawback: low efficiency. It is well known that it can be optimised by sealing the committed integer bit by bit and proving that each commitment contains a bit. However, the optimised solution is still inefficient, especially when the range size is large.

Boudot notices that $g^x$ is a computationally binding commitment of $x$ in $\mathbb{Z}$ when the order of $g$ is unknown. Thus a computationally binding commitment function can be designed and any non-negative committed integer can be proved to be non-negative by showing that it is no smaller than a square. So Boudot employs commitment of integers in $\mathbb{Z}$ instead of the traditional commitment of integers with a modulus in his range proof [6]. This special commitment function enables him to reduce range proof in a range $R$ to range proofs easier to implement. As a result his scheme achieves asymptotic precision. Moreover, it is more efficient than the solution based on [16].

Commitment of integers in $\mathbb{Z}$ is employed in [34] as well, which combines it with an interesting
fact: any non-negative integer can be written as the sum of four squares. The range proof scheme
in [34] employs an algorithm to find the four squares that sum up to any non-negative integer and then
proves that the integer is non-negative through a proof of knowledge of the square roots of the
four squares. In this way, it implements range proof and achieves completely perfect precision.
Moreover, it has a constant cost independent of the range size.

As the range proof techniques in [6] and [34] are still not efficient enough, a very efficient range
proof is widely used. It is not systematically proposed in any single paper, but employed in a wide
range of applications [...]. The idea is simple: to prove that a secret integer $x$ is in a range $R$,
a monotone function of $x$, $cx + r \in \mathbb{Z}$, is published. If $cx + r$ is in a range $R'$, $x$ can be
guaranteed to be in $R$. We call this method monotone test. Unlike the other range proof techniques,
monotone test is not a general solution to range proof and its application has some special limitations
(e.g. in the choice of $R$, $R'$, $x$ and other parameters) as pointed out in [6] (details like the discussion
of expansion rate can be found in [6]).

Which range proof technique may the author plan to employ to implement his shuffling scheme
in [44]? We can deduce that it must be monotone test due to the following reasons.

• It slightly modifies an already employed proof of knowledge of discrete logarithm without
employing any additional operation, so it fits the author's suggestion "proof of knowledge over
a group of unknown order also gives an upper bound on the bit-size of the exponents, i.e., it
implicitly proves ..."; while the other range proof techniques need explicit and additional
operations and should have been explicitly described in Protocol 2 in [44] if employed.

• Only monotone test meets the efficiency claim of [44] (in Section 5.5 of [44]) as it needs no
extra cost. The other range proof techniques are too costly for [44]. Even [6], the most
efficient of them, needs 40n more exponentiations to implement the range proofs in ([3])
and would contradict the efficiency claim of [44] and make it the least efficient shuffling scheme
in the past decade.

If the $N$ instances of missing range proof in the shuffling scheme in [44] are implemented with
monotone test, calculation of $d_i$ in Step 6 of Protocol 2 in [44] must be modified into

$d_i = c\,p_{\pi(i)} + r_i$ in $\mathbb{Z}$

such that $d_i$ becomes a modulus-free monotone function of $p_i = p_{\pi(i)}$. Namely, as mentioned before,
the original shuffling scheme in [44] must be modified into MP2 to fit monotone test. Then in Step
7 of MP2, $d_i$ must be verified in a range $R'$. However, there are still two unclear but very important
details to consider.

• In [44], as a very important security parameter, $K$ is not defined and its relation to other
parameters is completely unknown. Obviously, ([2]) is not always guaranteed by ([3]), ([4]) and
([5]) with any $K$. To guarantee satisfaction of ([2]), $K$ must be appropriately instantiated. We
believe that $K$ should be set as $K_3$, such that ([3]), ([4]) and ([5]) can guarantee ([2]) due to the
following reasons.

  – If $K > K_3$, when there exist $i$, $j$ and $k$ such that $p_i = p_j p_k$, ([3]) can still be satisfied.
    For example, suppose $p_j$ and $p_k$ are the smallest primes larger than $2^{K_3-1}$, then it is
    very possible that their product is smaller than $2^{K}$. So when $K > K_3$, ([2]) cannot be
    guaranteed and thus soundness of the shuffling scheme in [44] fails.

  – If $K < K_3$, when a $p_{\pi(i)}$ is larger than $2^{K} - 1$ but smaller than $2^{K_3}$, the $p_i$ generated
    according to the shuffling protocol is larger than $2^{K} - 1$ and thus cannot pass ([3]),
    which means an honest shuffling node cannot pass the verification and correctness of the
    shuffling scheme in [44] fails.

However, our deduction is not hinted at or supported in any way in [44].

• An appropriate $R'$ must be chosen to guarantee satisfaction of ([3]). However, there is not
any hint in [44] about its existence or choosing method. As monotone test is not a general
solution to range proof and is limited in application, it is unsure whether an appropriate $R'$
can be found.

To confirm our deduction and clarify the mysteries above, we contacted the author of [44]. In
correspondence with us, the author confirmed our deduction and suggested to add a verification
to Step 7 of Protocol 2 in his scheme to implement monotone test: $d_i < 2^{K_3+K_4+K_5}$. He argues
that this additional verification can guarantee that no $p_i$ can be large enough to be the product
of two $p_j$s. Although the original Protocol 2 is not consistent with monotone test, which requires
to calculate $d_i$ in a modulus-free way, MP2 proposed in Section 3.3 can employ monotone test as
it has modified the calculation of $d_i$ to be modulus-free. We combine MP2 and the additional test
$d_i < 2^{K_3+K_4+K_5}$ suggested by the author and denote the result as MSBMT (modified shuffling
based on monotone test), where ([3]) is instantiated into

$-2^{K_3} + 1 \le p_i \le 2^{K_3} - 1$ for $i = 1, 2, \ldots, N$.    (22)
4.3 Failure of the Author's Suggestion to Achieve Soundness

Soundness of MSBMT lies in that the author believes that $p_i$ is guaranteed to be in $[-2^{K_3}+1, 2^{K_3}-1]$
when $d_i < 2^{K_3+K_4+K_5}$. Is this claim reliable? As monotone test is not a general solution we need to
check whether it is suitable for the range proof in (22). It is determined by whether the shuffling
node can win the following game.

1. When running MSBMT the shuffling node chooses $r_i$ and $p_i$ such that $p_i \notin [-2^{K_3}+1, 2^{K_3}-1]$.

2. In the course of MSBMT a value is randomly chosen in $[2^{K_4-1}, 2^{K_4}-1]$ for the challenge $c$.

3. The shuffling node outputs $d_i = c p_i + r_i$ to satisfy the verification equations of MSBMT.

4. He wins the game if $d_i$ happens to be smaller than $2^{K_3+K_4+K_5}$.

If the shuffling node can win the game with a non-negligible probability, he can pass the verification
of MSBMT with an invalid $p_i$ with a non-negligible probability and thus soundness of MSBMT fails.
Unfortunately, the shuffling node can always win the game using the following attack.

1. When running MSBMT the shuffling node chooses an integer $p_i$ larger than $2^{K_3} - 1$ and then
a random integer $r_i$ smaller than $2^{K_3+K_4+K_5} - p_i 2^{K_4}$.

2. When the shuffling node receives an integer $c$ in $[2^{K_4-1}, 2^{K_4}-1]$, he outputs $d_i = c p_i + r_i$.
As $r_i < 2^{K_3+K_4+K_5} - p_i 2^{K_4}$, it is always satisfied that

$d_i = c p_i + r_i < 2^{K_4} p_i + r_i < 2^{K_4} p_i + 2^{K_3+K_4+K_5} - p_i 2^{K_4} = 2^{K_3+K_4+K_5}$

and he can always win the game. Namely, no matter whether $p_i$ is in $[-2^{K_3}+1, 2^{K_3}-1]$ or how large
its absolute value is, no matter which value is chosen from $[2^{K_4-1}, 2^{K_4}-1]$ as $c$ after the shuffling
node chooses $p_i$ and $r_i$, he can always choose a special $r_i$ to pass the verification in MSBMT. So
(22) is not guaranteed in MSBMT. When a $p_i$ is no smaller than $2^{K_3}$ it may be the product of
multiple $p_j$s. When a $p_i$ is no smaller than $2^{K_3+1} - 1$ it can certainly be the product of multiple
$p_j$s without any doubt. Therefore, soundness of MSBMT is compromised by the attack.

Maybe the author is careless and forgets to set the lower bound for $R'$. Maybe when he says $d_i$
must be smaller than $2^{K_3+K_4+K_5}$, he actually means $d_i$ must be in $[0, 2^{K_3+K_4+K_5} - 1]$. In this case,
the attack above cannot work. However, another attack against soundness can work as follows.

1. The shuffling node chooses an invalid positive value for $p_i$.

2. He chooses $r_i \in [-2^{K_4-1} p_i,\; 2^{K_3+K_4+K_5} - 1 - (2^{K_4} - 1) p_i]$.

3. When being challenged with $c$, the shuffling node returns a response $d_i = c p_i + r_i$.

As

$d_i = c p_i + r_i \le (2^{K_4} - 1) p_i + 2^{K_3+K_4+K_5} - 1 - (2^{K_4} - 1) p_i = 2^{K_3+K_4+K_5} - 1$,

$d_i = c p_i + r_i \ge 2^{K_4-1} p_i - 2^{K_4-1} p_i = 0$,

the attack can succeed on the condition that $-2^{K_4-1} p_i \le 2^{K_3+K_4+K_5} - 1 - (2^{K_4} - 1) p_i$ and
$[-2^{K_4-1} p_i,\; 2^{K_3+K_4+K_5} - 1 - (2^{K_4} - 1) p_i]$ is a valid range. As any $p_i$ with an absolute value no
smaller than $2^{K_3}$ is invalid and $2^{K_5}$ must be overwhelmingly large (e.g. $K_5 = 50$ in [43]), this
condition can be satisfied even if $p_i$ is much larger than $2^{K_3}$.
4.4 Formal Proof of Infeasibility to Fix the Problem

Although soundness of MSBMT fails with the $R'$ suggested by the author of [44], an optimistic
opinion may still hope that the failure is caused by an inappropriate choice of $R'$ and there may exist
an appropriate $R'$ for monotone test to guarantee soundness of MSBMT. However, Theorem 1
illustrates that, as application of monotone test is not general but limited, no such $R'$ exists and it
is impossible to limit the range of $p_i$ by checking the size of $d_i$ in MSBMT.

Theorem 1 Suppose the absolute value of $p_i$ can be guaranteed to be smaller than $2^{K_3}$ in MSBMT
when $d_i = c\,p_{\pi(i)} + r_i$ is in a certain range $[A, B]$; then a contradiction can be found.

Proof: 

• On one hand, the width of $[A, B]$ must be smaller than $2^{K_3}(2^{K_4} - 1 - 2^{K_4-1})$, otherwise
$B - A \ge 2^{K_3}(2^{K_4} - 1 - 2^{K_4-1})$ and the shuffling node can attack by choosing an invalid $p_i$ as
$p_i = 2^{K_3}$ and then $r_i \in [A - 2^{K_4-1} 2^{K_3},\; B - (2^{K_4} - 1) 2^{K_3}]$. In this attack, with any challenge
$c$ in $[2^{K_4-1}, 2^{K_4} - 1]$,

$d_i = c p_i + r_i = c 2^{K_3} + r_i \le (2^{K_4} - 1) 2^{K_3} + B - (2^{K_4} - 1) 2^{K_3} = B$,
$d_i = c p_i + r_i = c 2^{K_3} + r_i \ge 2^{K_4-1} 2^{K_3} + A - 2^{K_4-1} 2^{K_3} = A$.

So the attack succeeds if $A - 2^{K_4-1} 2^{K_3} \le B - (2^{K_4} - 1) 2^{K_3}$ and $[A - 2^{K_4-1} 2^{K_3},\; B - (2^{K_4} - 1) 2^{K_3}]$
is a valid range.

$(B - (2^{K_4} - 1) 2^{K_3}) - (A - 2^{K_4-1} 2^{K_3}) = (B - A) - (2^{K_4} - 1 - 2^{K_4-1}) 2^{K_3}$
$\ge 2^{K_3}(2^{K_4} - 1 - 2^{K_4-1}) - (2^{K_4} - 1 - 2^{K_4-1}) 2^{K_3} = 0$.

So $A - 2^{K_4-1} 2^{K_3} \le B - (2^{K_4} - 1) 2^{K_3}$ and $[A - 2^{K_4-1} 2^{K_3},\; B - (2^{K_4} - 1) 2^{K_3}]$ is a valid range,
and thus the attack can succeed.

• On the other hand, when the width of $[A, B]$ is smaller than $2^{K_3}(2^{K_4} - 1 - 2^{K_4-1})$, the
probability that an honest shuffling node can pass the monotone test is negligible, as shown
in the following.

1. The honest shuffling node has $p_i = p_{\pi(i)}$.

2. The honest shuffling node chooses $r_i$ randomly from $[0, 2^{K_3+K_4+K_5} - 1]$.

3. When being challenged with $c$, the honest shuffling node returns a response $d_i = c p_i + r_i$.

As $r_i$ is randomly chosen from $[0, 2^{K_3+K_4+K_5} - 1]$, it is uniformly distributed in $[0, 2^{K_3+K_4+K_5} - 1]$.
So no matter how large $c$ is, $d_i$ is uniformly distributed in a range as wide as $2^{K_3+K_4+K_5}$.
As the width of $[A, B]$ is smaller than $2^{K_3}(2^{K_4} - 1 - 2^{K_4-1})$ and $2^{K_5}$ must be overwhelmingly
large (e.g. $K_5 = 50$ in [15]), $d_i$ is uniformly distributed in a very large range, in comparison
with which the width of $[A, B]$ is negligible. So the probability that $d_i$ falls in $[A, B]$ is
negligible.

□ 
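The dilemma in the proof of Theorem 1 can be checked numerically. The following is an added Python example, not code from the paper or from [44]: for any candidate interval $[A, B]$ it either exhibits the $r_i$ interval for the invalid $p_i = 2^{K_3}$ that keeps $d_i$ in $[A, B]$ for every challenge (when the width reaches $2^{K_3}(2^{K_4} - 1 - 2^{K_4-1})$), or computes the exact probability that an honest node's uniformly random $r_i$ lands $d_i$ in $[A, B]$ (when it does not). Toy parameters $K_3 = 8$, $K_4 = 6$, $K_5 = 10$ and the function names are assumptions; the probability is returned as an exact rational so the "negligible" claim becomes a concrete number for the chosen parameters.

```python
# Added example (not from the paper or from [44]): the two halves of Theorem 1
# for an arbitrary verification interval [A, B] on d_i in MSBMT.
from fractions import Fraction

K3, K4, K5 = 8, 6, 10                          # constructed toy parameters (assumption)
C_LO, C_HI = 2 ** (K4 - 1), 2 ** K4 - 1        # challenge range [2^(K4-1), 2^K4 - 1]
R_MAX = 2 ** (K3 + K4 + K5) - 1                # honest r_i is uniform in [0, R_MAX]
WIDTH_THRESHOLD = 2 ** K3 * (2 ** K4 - 1 - 2 ** (K4 - 1))   # 2^K3 (2^K4 - 1 - 2^(K4-1))


def wide_enough_to_attack(A, B):
    """First half of the proof applies when B - A >= 2^K3 (2^K4 - 1 - 2^(K4-1))."""
    return B - A >= WIDTH_THRESHOLD


def attack_interval(A, B):
    """The r_i interval from the proof for the invalid p_i = 2^K3; None if empty."""
    lo = A - 2 ** (K4 - 1) * 2 ** K3
    hi = B - (2 ** K4 - 1) * 2 ** K3
    return (lo, hi) if lo <= hi else None


def attack_always_lands_in(A, B):
    """Check that p_i = 2^K3 with r_i at either end of attack_interval gives
    A <= d_i <= B for every challenge c (d_i is monotone in r_i, so the two
    endpoints suffice)."""
    iv = attack_interval(A, B)
    if iv is None:
        return False
    p = 2 ** K3
    lo, hi = iv
    return all(A <= c * p + r <= B for c in range(C_LO, C_HI + 1) for r in (lo, hi))


def honest_pass_probability(A, B, p, c):
    """Second half: exact Pr[A <= c*p + r <= B] for r uniform in [0, R_MAX],
    for a fixed honest p_i and fixed challenge c."""
    lo = max(A - c * p, 0)
    hi = min(B - c * p, R_MAX)
    count = max(0, hi - lo + 1)
    return Fraction(count, R_MAX + 1)


def worst_case_honest_probability(A, B):
    """Upper bound over every p_i and c: at most B - A + 1 values of r_i can work."""
    return Fraction(B - A + 1, R_MAX + 1)


if __name__ == "__main__":
    T = WIDTH_THRESHOLD
    print("width == threshold: attack lands in [0, T] for every c:",
          attack_always_lands_in(0, T))
    print("width <  threshold: honest pass probability <=",
          worst_case_honest_probability(0, T - 1),
          "(2^-K5 =", Fraction(1, 2 ** K5), ")")
```

For the toy parameters the honest node's best case is below $2^{-K_5}$ as soon as the interval is too narrow for the attack, matching the proof's observation that the two requirements on the width of $[A, B]$ cannot both be met.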
4.5 Unsuitability of Other Range Proof Techniques

Monotone test has been formally illustrated to be unable to implement the range proof in the
original shuffling scheme in [44] or MSBMT. So the only way to obtain soundness is to apply
another range proof technique to MP2, although they are not the choice of the author in [44].
Unfortunately, the other existing range proof primitives are much less efficient than monotone test.
The instances of range proof in $[-2^{K_3} + 1, 2^{K_3} - 1]$ (or at least in $[2^{K_3-1}, 2^{K_3} - 1]$) cost $O(N 2^{K_3})$
exponentiations with the original technique in [16] or $O(N K_3)$ exponentiations with its optimisation,
and both are much more costly than the cost of the original shuffling scheme in [44]. Although
the range proof primitives in [6] and [34] are more efficient, application of $N$ instances of either
of them is still too costly for shuffling. As both of them can only work with special commitment
functions, to employ either of them the shuffling node must first commit to each secret logarithm
to be proved in the certain range in a special commitment function and then he has to prove that
the same logarithm is used in the shuffling protocol and committed in the commitment function
using zero knowledge proof of equality of discrete logarithms ([13] or its variant). After that the
range proof primitive in [6] or [34] can be applied and each application costs several exponentiations.
Not only the cost of the $N$ instances of range proof but also the commitment functions and their
corresponding proofs of equality of logarithms are more costly than the original shuffling scheme
in [44]. So employing any other range proof than monotone test will greatly increase the cost in
computation and communication and lead to a shuffling scheme much less efficient than most
existing shuffling schemes.

5 Conclusion 

The mix network in [44] fails in correctness, has an unreliable proof of zero knowledge and cannot
achieve soundness. Although we managed to restore correctness by fixing the proof protocol and
adopting statistical zero knowledge, soundness is impossible in [44] as a key operation in it,
instances of range proof, cannot be implemented. As a result, a simple attack can compromise the
shuffling scheme. In the shuffling protocol in [44], not only is range proof not implemented, but also
the suggested method cannot implement it. Fixing the suggested range proof is impossible, while
no alternative technique can guarantee soundness of the shuffling scheme in [44] at a tolerable cost.
That may be why implementation of range proof is only very vaguely hinted at and completely missing
in the detailed implementation in [44], which is supposed to be complete, although it is very important. Our
conclusion is that if we cling to the monotone test suggested by the author there is no way to guarantee
soundness. If it is replaced by any other range proof technique [6], [16], [34], the additional operations
in the $N$ instances of range proof will greatly increase the cost in computation and communication
and lead to a shuffling scheme much less efficient than most existing shuffling schemes.
A Drawbacks of [39] and [28]

There are two drawbacks in [39]. Firstly, [39] only supports a small fraction of all the possible
permutations. So its privacy is much weaker than that of other shuffling schemes, which support
all the possible permutations. Secondly, it requires that the shuffling node (e.g. tallier) does
not obtain collusion of the message providers (e.g. voters) and has no knowledge of the shuffled
messages. So it is impractical in applications with critical requirements on security like political
e-voting, whose soundness cannot rely on any trust in the participants.

The shuffling scheme in [28] employs exceptionally small parameters to improve the efficiency of
[30], so its soundness is weaker. Firstly, it employs much smaller challenges in its ZK proof than in
[30], so its soundness may fail with a much larger (although still regarded small in circumstances
with looser security requirements) probability. Secondly, it depends on bindingness of a commitment
function but achieves too weak bindingness in the commitment function. The commitment function
$com(m_1, m_2, \ldots, m_k, r) = \prod_{i=1}^{k} g_i^{m_i} h^{r}$ is employed in [28], where the order of $g_1, g_2, \ldots, g_k$ and $h$
is $q$. Soundness of the three-move proof in [28] is based on an assumption: the binding property of
the commitment function is computationally unbreakable, such that in the third move the prover is
forced to use the unique set of secret integers committed in the first move to generate his response
to the random challenge in the second move (see the two theorems in [28] for more details of this
assumption). It is illustrated and emphasized in [29] (which employs the same main idea) and
recognised in [28] that in such a proof mechanism soundness of shuffling fails if the commitment is
not binding and the prover can adjust the committed integers after it receives the challenge. In
[28] the length of $q$ is only 240 bits for the sake of high efficiency. Note that obtaining $\log_{g_i} g_j$
or $\log_{g_i} h$ is enough to break the binding property of the commitment function, which depends on
the hardness of calculating such discrete logarithms. Therefore, breaking soundness of the shuffling in
[28] is no harder than calculating a 240-bit discrete logarithm. As a building block claimed to be
mainly used in electronic voting (which is often a very sensitive political activity and requires a very
high level of security), it is inappropriate for the shuffling protocol to base its security on the hardness
of calculating a 240-bit discrete logarithm, which is commonly regarded as not hard enough for
a powerful adversary in the current security standard. In comparison, the other shuffling schemes
employ bases with much larger orders and base their soundness on the hardness of calculating at least
1024-bit long discrete logarithms. In summary, [28] drastically improves the efficiency of [30] by using
exceptionally small parameters. However, it weakens soundness to an extent intolerable in many
e-voting applications.